Commit message (author, date, files changed, lines removed/added)

* Revert change to certificate request check from r1.45. (jsing, 2020-01-25, 1 file, -3/+3)
  This code was correct, it was the entry in the table that was incorrect. ok beck@
* Only perform the downgrade check if our max version is less than TLSv1.3. (jsing, 2020-01-25, 1 file, -15/+17)
  Issue noticed by kn@ when talking to a TLSv1.3 capable mail server, but with smtpd capping max version to TLSv1.2. ok beck@
* Preserve the transcript hash for the client finished message, and correct the message type for certificate request. (beck, 2020-01-25, 1 file, -2/+3)
  ok jsing@
* Support legacy message callbacks. First step for SSL_set_msg_callback(3) support. (tb, 2020-01-25, 3 files, -3/+40)
  Makes openssl s_client -msg work for handshake messages. ok beck jsing
* Correct value for SSL_TLSEXT_MSG_HRR. (jsing, 2020-01-25, 1 file, -2/+2)
  ok beck@ tb@
* Only discard the extension block for client hello and server hello messages. (jsing, 2020-01-25, 1 file, -2/+3)
  TLSv1.3 messages that include extensions need a length prefixed field with zero bytes, rather than no data at all. ok beck@ tb@
* Only send an RI extension for pre-TLSv1.3 versions. (jsing, 2020-01-25, 1 file, -2/+2)
  ok beck@
* It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3 client hello. (jsing, 2020-01-25, 3 files, -4/+24)
  Allow pre-TLSv1.3 alerts (including warnings) to be received before the server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that we are using TLSv1.3. Noticed by ajacoutot@ while connecting to www.openprinting.org. ok tb@
* Correct backwards test so that we may accept a certificate request from the server. (beck, 2020-01-25, 1 file, -3/+3)
  ok jsing@
* add a couple of XXX for future cleanup (tb, 2020-01-25, 1 file, -1/+4)
* Disable the client hello message regress test for now. (jsing, 2020-01-25, 1 file, -2/+2)
  The golden values have changed due to TLSv1.3 and will likely change more in the near future. This will be updated and re-enabled when things settle. Discussed with beck@
* Ensure that TLSv1.0 and TLSv1.1 are enabled before running SSLv2 client hello tests. (jsing, 2020-01-25, 1 file, -5/+10)
* Teach openssl s_client a bit about TLSv1.3. (tb, 2020-01-24, 1 file, -2/+17)
  ok beck jsing
* Complete the initial TLSv1.3 implementation. (jsing, 2020-01-24, 3 files, -14/+300)
  ok beck@ tb@
* Preserve the TLS transcript at additional points. (jsing, 2020-01-24, 1 file, -9/+23)
  This is needed for the TLSv1.3 server and will also be needed for client certificate authentication. Note that we preserve on receive but before recording the new handshake message, whereas we preserve on send after recording the new handshake message. ok tb@
* Permit 0 length writes, because openssl s_client is special (beck, 2020-01-24, 1 file, -2/+2)
  ok jsing@
* Store the legacy session identifier from the ClientHello so we can actually echo it. (jsing, 2020-01-24, 1 file, -1/+10)
  ok beck@ tb@
* Switch to encrypted records in the TLSv1.3 server. (jsing, 2020-01-24, 3 files, -4/+78)
  This adds code to perform key derivation and set the traffic keys once the ServerHello message has been sent, enabling encrypted records. ok beck@ tb@
* Enable SSL_ENC_FLAG_SIGALGS on TLSv1_3_enc_data. (jsing, 2020-01-24, 1 file, -2/+2)
  This means that we actually try to process and use signature algorithms. ok beck@ tb@
* Add strings for SSL_aTLS1_3 and SSL_kTLS1_3 to SSL_CIPHER_description(). (jsing, 2020-01-24, 1 file, -1/+7)
  Makes `openssl ciphers -v` print au and kx values for TLSv1.3 cipher suites. ok beck@ tb@
* Fix breakage in SSL_connect, SSL_accept, etc. by not propagating new retry conditions from the record layer all the way up to the callers. (beck, 2020-01-24, 3 files, -13/+42)
  Instead we catch them at the top of the record layer and retry the operations, unless we actually got a retry indicated from actual IO operations. ok jsing@ tb@
* Implement client hello processing in the TLSv1.3 server. (jsing, 2020-01-23, 3 files, -10/+58)
  ok beck@
* Correct several issues in the current TLSv1.3 server code. (jsing, 2020-01-23, 1 file, -6/+15)
  Correct the parsing of the client hello supported versions extension. This has one or more values, rather than just the single selected version. Allocate an SSL_SESSION - this is unused currently, but is needed as soon as we start parsing extensions. Also, pull the cipher suites list off correctly - this is u16 prefixed, not u8. ok beck@
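The two wire-format details behind this commit and the earlier "Only discard the extension block" one (ClientHello supported_versions is a u8-prefixed list of u16 values while ServerHello carries a single u16; cipher_suites is u16-prefixed; an extensions block with no extensions is still a two-byte zero-length field) are easy to get wrong when reading handshake messages by hand. The following is an added example, not LibreSSL code: the `cursor` struct and `get_prefixed` helper stand in for the library's CBS, the function names are this example's own, and the sample byte strings are constructed for illustration rather than captured traffic. Each function parses one field handed to it in isolation and rejects trailing bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal read cursor, a stand-in for LibreSSL's CBS (an assumption of this example). */
struct cursor { const uint8_t *p; size_t len; };

static int get_u16(struct cursor *c, uint16_t *v)
{
	if (c->len < 2) return 0;
	*v = (uint16_t)((c->p[0] << 8) | c->p[1]);
	c->p += 2; c->len -= 2;
	return 1;
}

/* Pull off a length-prefixed field; prefix is 1 (u8 length) or 2 (u16 length). */
static int get_prefixed(struct cursor *c, size_t prefix, struct cursor *out)
{
	size_t n;
	if (c->len < prefix) return 0;
	n = (prefix == 1) ? c->p[0] : (size_t)((c->p[0] << 8) | c->p[1]);
	c->p += prefix; c->len -= prefix;
	if (c->len < n) return 0;
	out->p = c->p; out->len = n;
	c->p += n; c->len -= n;
	return 1;
}

/*
 * ClientHello supported_versions (RFC 8446 4.2.1): a u8-prefixed list of one or
 * more u16 versions. Returns the highest version offered, or 0 if malformed.
 * Intersecting that with the server's own supported versions is left to the caller.
 */
uint16_t clienthello_supported_versions(const uint8_t *data, size_t len)
{
	struct cursor c = { data, len }, list;
	uint16_t v, best = 0;

	if (!get_prefixed(&c, 1, &list) || c.len != 0)  /* reject trailing data */
		return 0;
	if (list.len == 0 || list.len % 2 != 0)
		return 0;
	while (get_u16(&list, &v))
		if (v > best) best = v;
	return best;
}

/* ServerHello supported_versions: exactly one u16. Returns it, or 0 if malformed. */
uint16_t serverhello_supported_versions(const uint8_t *data, size_t len)
{
	struct cursor c = { data, len };
	uint16_t v;

	if (!get_u16(&c, &v) || c.len != 0)
		return 0;
	return v;
}

/*
 * cipher_suites is u16-prefixed (RFC 8446 4.1.2), not u8-prefixed. Returns the
 * number of suites (copied into out when out is non-NULL), or -1 if malformed.
 */
int clienthello_cipher_suites(const uint8_t *data, size_t len, uint16_t *out, size_t max)
{
	struct cursor c = { data, len }, list;
	uint16_t suite;
	size_t n = 0;

	if (!get_prefixed(&c, 2, &list) || c.len != 0)
		return -1;
	if (list.len < 2 || list.len % 2 != 0)
		return -1;
	while (get_u16(&list, &suite)) {
		if (out != NULL) {
			if (n >= max) return -1;
			out[n] = suite;
		}
		n++;
	}
	return (int)n;
}

/*
 * Extensions block: a u16-prefixed list of (u16 type, u16-prefixed data).
 * "00 00" is a valid block holding zero extensions; no bytes at all is not.
 * Returns the extension count, or -1 if malformed or followed by trailing data.
 */
int extensions_block(const uint8_t *data, size_t len)
{
	struct cursor c = { data, len }, list, body;
	uint16_t type;
	int n = 0;

	if (!get_prefixed(&c, 2, &list) || c.len != 0)
		return -1;
	while (list.len > 0) {
		if (!get_u16(&list, &type) || !get_prefixed(&list, 2, &body))
			return -1;
		n++;
	}
	return n;
}

int main(void)
{
	/* Constructed sample fields for this example, not captured traffic. */
	const uint8_t ch_versions[] = { 0x04, 0x03, 0x04, 0x03, 0x03 };          /* [TLS 1.3, TLS 1.2] */
	const uint8_t suites[] = { 0x00, 0x04, 0x13, 0x01, 0x13, 0x02 };         /* two TLS 1.3 suites */
	const uint8_t ext_empty[] = { 0x00, 0x00 };
	const uint8_t ext_one[] = { 0x00, 0x07, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };

	printf("ClientHello offers up to 0x%04x\n", clienthello_supported_versions(ch_versions, sizeof(ch_versions)));
	printf("same bytes read as ServerHello selected_version: 0x%04x (0 = rejected)\n",
	    serverhello_supported_versions(ch_versions, sizeof(ch_versions)));
	printf("cipher suites: %d\n", clienthello_cipher_suites(suites, sizeof(suites), NULL, 0));
	printf("extensions: empty block %d, absent block %d, one extension %d\n",
	    extensions_block(ext_empty, sizeof(ext_empty)), extensions_block(ext_empty, 0),
	    extensions_block(ext_one, sizeof(ext_one)));
	return 0;
}
```

Feeding the five-byte ClientHello list to the ServerHello parser fails on the trailing-data check, which is the shape of the bug the commit fixes; an absent extensions block is rejected while the two-byte empty block is accepted with a count of zero.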
* When certificate validation fails, we must send a DECRYPT_ERROR alert according to RFC8446. (beck, 2020-01-23, 1 file, -3/+6)
  ok jsing@
* Remove the ssl_get_message function pointer from SSL_METHOD_INTERNAL. (jsing, 2020-01-23, 6 files, -47/+27)
  ssl_get_message is essentially a switch between ssl3_get_message and dtls1_get_message, both only used by the legacy stack. Instead, use SSL_IS_DTLS() in ssl3_get_message to call the DTLS function when necessary. ok beck@ inoguchi@ tb@
* Implement sending client certificate requests for 1.3 server (beck, 2020-01-23, 1 file, -1/+13)
  ok jsing@
* Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher(). (jsing, 2020-01-23, 4 files, -5/+30)
  Currently, TLSv1.3 cipher suites are filtered out by the fact that they have authentication and key exchange algorithms that are not being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher() works for TLSv1.3, however we also now need to ensure that we filter out TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3. ok beck@ tb@
* Build the encrypted extensions for the 1.3 server (beck, 2020-01-23, 1 file, -2/+8)
  ok jsing@
* If we are building a legacy server hello, check to see if we are downgrading from TLS 1.3. (beck, 2020-01-23, 1 file, -1/+20)
  If we are, set the last 8 bytes of the server_random value to the required values as per RFC 8446 section 4.1.3 indicating that we deliberately meant to downgrade. ok jsing@
* Add checking in the client to check the magic values which are set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 (beck, 2020-01-23, 3 files, -3/+30)
  ok jsing@
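The two commits above are the two halves of the RFC 8446 section 4.1.3 downgrade protection: the server overwrites the last 8 bytes of ServerHello.random with a fixed sentinel when it negotiates below TLS 1.3, and the client aborts with illegal_parameter if it sees that sentinel while it itself offered TLS 1.3. The following is an added example written against the RFC, not LibreSSL's implementation: the version constants mirror the values in tls1.h, while `server_mark_downgrade`, `client_downgrade_detected`, `downgrade_exchange` and the 0xab-filled random are this example's own. The client-side gating also covers the case mentioned earlier on this page of a client capped at TLS 1.2 talking to a TLS 1.3 server, where the TLS 1.2 sentinel is expected and must not be treated as an attack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as LibreSSL's tls1.h / ssl3.h, repeated so the example is stand-alone. */
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#define SSL3_RANDOM_SIZE 32

/* RFC 8446 section 4.1.3 sentinels, written over the last 8 bytes of ServerHello.random. */
static const uint8_t downgrade_12[8] = { 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01 };
static const uint8_t downgrade_11[8] = { 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00 };

/*
 * Server side: a TLS 1.3-capable server that ends up negotiating TLS 1.2 or
 * lower marks its random. Returns 1 if a sentinel was written, 0 otherwise.
 */
int server_mark_downgrade(uint8_t server_random[SSL3_RANDOM_SIZE], uint16_t server_max,
    uint16_t negotiated)
{
	if (server_max < TLS1_3_VERSION || negotiated >= TLS1_3_VERSION)
		return 0;
	memcpy(server_random + SSL3_RANDOM_SIZE - 8,
	    negotiated == TLS1_2_VERSION ? downgrade_12 : downgrade_11, 8);
	return 1;
}

/*
 * Client side: returns 1 when the handshake must be aborted with an
 * illegal_parameter alert. A client whose own maximum is TLS 1.3 checks for
 * either sentinel whenever the server picked TLS 1.2 or below. A client capped
 * at TLS 1.2 only checks the TLS 1.1 sentinel (RFC 8446 says it SHOULD), so the
 * TLS 1.2 sentinel a TLS 1.3 server legitimately sends it is not an error.
 */
int client_downgrade_detected(const uint8_t server_random[SSL3_RANDOM_SIZE],
    uint16_t client_max, uint16_t negotiated)
{
	const uint8_t *tail = server_random + SSL3_RANDOM_SIZE - 8;

	if (negotiated >= TLS1_3_VERSION)
		return 0;
	if (client_max >= TLS1_3_VERSION)
		return memcmp(tail, downgrade_12, 8) == 0 || memcmp(tail, downgrade_11, 8) == 0;
	if (client_max == TLS1_2_VERSION && negotiated <= TLS1_1_VERSION)
		return memcmp(tail, downgrade_11, 8) == 0;
	return 0;
}

/*
 * One round trip. seen_client_max is the maximum version the server sees in the
 * ClientHello, which an on-path attacker may have lowered from client_max.
 * Returns the client's verdict: 1 = abort, 0 = proceed.
 */
int downgrade_exchange(uint16_t client_max, uint16_t seen_client_max, uint16_t server_max)
{
	uint8_t server_random[SSL3_RANDOM_SIZE];
	uint16_t negotiated = seen_client_max < server_max ? seen_client_max : server_max;

	memset(server_random, 0xab, sizeof(server_random)); /* constructed stand-in for 32 random bytes */
	server_mark_downgrade(server_random, server_max, negotiated);
	return client_downgrade_detected(server_random, client_max, negotiated);
}

int main(void)
{
	printf("both TLS 1.3:                       %d\n",
	    downgrade_exchange(TLS1_3_VERSION, TLS1_3_VERSION, TLS1_3_VERSION));
	printf("client capped at 1.2, server 1.3:   %d\n",
	    downgrade_exchange(TLS1_2_VERSION, TLS1_2_VERSION, TLS1_3_VERSION));
	printf("1.3 client, hello rewritten to 1.2: %d\n",
	    downgrade_exchange(TLS1_3_VERSION, TLS1_2_VERSION, TLS1_3_VERSION));
	printf("1.2 client, hello rewritten to 1.1: %d\n",
	    downgrade_exchange(TLS1_2_VERSION, TLS1_1_VERSION, TLS1_3_VERSION));
	printf("1.3 client, server only does 1.2:   %d\n",
	    downgrade_exchange(TLS1_3_VERSION, TLS1_3_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The protection only works because the sentinel is covered by the server's signature over the handshake in TLS 1.2 and below, so an attacker who strips the TLS 1.3 offer from the ClientHello cannot also scrub the sentinel from the ServerHello; a server that does not support TLS 1.3 at all never writes one, which is why the last case above proceeds.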
* Add code to build and send a server hello for tls 1.3 (beck, 2020-01-23, 1 file, -3/+40)
  ok jsing@
* Save the legacy session id in the client, and enforce that it is returned the same from the server. (beck, 2020-01-23, 2 files, -7/+18)
  ok jsing@ tb@
* Implement pending for TLSv1.3. (jsing, 2020-01-23, 4 files, -6/+42)
  Makes `openssl s_client -peekaboo` work with TLSv1.3. ok beck@ tb@
* The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find CA certs it couldn't find otherwise. (tb, 2020-01-23, 1 file, -30/+67)
  This may lead to a pledge rpath violation reported by Kor, son of Rynar. Unfortunately, providing certs inside a directory is common in linuxes, so we need to keep this functionality for portable. Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly. Add unveils to restrict this program further on a default OpenBSD install. Fix -C to look only inside the provided root bundle. Input from jsing and sthen, tests by sthen and Kor. ok beck, jsing, sthen (after much back and forth)
* Remove lies from the SSL_pending man page. Our implementation never advances the record layer, it only reports internal state. (beck, 2020-01-23, 1 file, -22/+3)
  ok jsing@ tb@
* Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct. (beck, 2020-01-23, 1 file, -2/+9)
  annoying jsing@
* Switch back to a function pointer for ssl_pending. (jsing, 2020-01-23, 3 files, -14/+24)
  This will allow the TLSv1.3 stack to provide its own implementation. Nuke a completely bogus comment from SSL_pending() whilst here. ok beck@
* Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert. (jsing, 2020-01-23, 3 files, -11/+22)
  Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@
* Pass a CBB to TLSv1.3 send handlers. (jsing, 2020-01-23, 4 files, -50/+44)
  This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
* The length of the IV of EVP_chacha20 is currently 64 bits, not 96. (tb, 2020-01-22, 1 file, -3/+3)
  ok beck
* Wire up the TLSv1.3 server. (jsing, 2020-01-22, 3 files, -6/+182)
  This currently only has enough code to handle fallback to the legacy TLS stack for TLSv1.2 or earlier, however allows for further development and testing. ok beck@
* Pass a handshake message content CBS to TLSv1.3 receive handlers. (jsing, 2020-01-22, 5 files, -85/+70)
  This avoids every receive handler having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
* Fix things so that `make -DTLS1_3` works again. (jsing, 2020-01-22, 1 file, -1/+3)
* Send alerts on certificate verification failures of server certs (beck, 2020-01-22, 1 file, -2/+2)
  ok tb@
* Rename failure into alert_desc in tlsext_ocsp_server_parse(). (tb, 2020-01-22, 1 file, -5/+5)
* fix previous: alert_desc needs to be an int. (tb, 2020-01-22, 1 file, -2/+2)
* Avoid modifying alert in the success path. (tb, 2020-01-22, 1 file, -11/+17)
  ok beck jsing
* Enable the TLSv1.3 client in libssl. (jsing, 2020-01-22, 1 file, -2/+3)
  This also makes it available to clients that use libtls, including ftp(1) and nc(1). Note that this does not expose additional defines via public headers, which means that any code conditioning on defines like TLS1_3_VERSION or SSL_OP_NO_TLSv1_3 will not enable or use TLSv1.3. This approach is necessary since too many pieces of software assume that if TLS1_3_VERSION is available, other OpenSSL 1.1 API will also be available, which is not necessarily the case. ok beck@ tb@
* Correct includes check for libtls. (jsing, 2020-01-22, 1 file, -2/+2)
* Add checks to ensure that lib{crypto,ssl,tls} public headers have actually been installed prior to building. (jsing, 2020-01-22, 3 files, -3/+33)
  Requested by and ok tb@